[57] ABSTRACT

A digital certificate is formed from a digitized representation
of a unique biological feature of a registrant, for example, 
the registrant's chromosomal DNA. The digital representa- 
tion is signed with the registrant's private encryption key 
and transmitted to a certificate authority. The registrant's 
identity is verified at a remote registration terminal. When 
the registrant's identity has been verified the certificate 
authority forms the certificate by encrypting the digital 
signature with the certificate authority's own encrypting key. 
The certificate is also held in a publicly available directory. 
The certificate is used to authenticate an electronic docu- 
ment by appending the certificate to the electronic docu- 
ment. The document and the certificate are then transmitted 
to a receiving terminal. The identity of the transmitting party 
can be verified by inspecting the certificate. In the event the 
sending party denies sending the document, the biological 
feature can be extracted from the certificate and directly 
compared with the actual biological feature of the sending 
party. 

13 Claims, 9 Drawing Sheets 
DIGITAL SIGNATURE PROVIDING NON-REPUDIATION BASED ON BIOLOGICAL INDICIA

FIELD OF THE INVENTION

The present invention relates generally to the field of authentication of electronic documents, and more particularly to a non-repudiable digital signature that allows authentication of the identity of the sender of a message by comparison with the sender's unique biological indicia.

BACKGROUND 

Electronic commerce is rapidly becoming a ubiquitous means of conducting business. The growing popularity of the Internet and World Wide Web has opened new avenues for the conduct of business. Execution of complicated business transactions electronically presents a number of legal and financial problems.

Security of electronic transactions is an area of concern because messages transmitted across public networks can be intercepted. A number of encryption methods have been developed which allow a message to be read only by the designated receiver. Using so-called public key encryption, party A sending a message to party B first encrypts the message using B's public key. B's public key can be freely distributed to anyone B wishes to communicate with. Only B's private key can decrypt the message. B keeps his private key secret and uses it to decode the message. If the message is intercepted it cannot be decoded without B's private key.

The identity of a party transmitting a message executing
an electronic transaction is also of concern, particularly 
where one of the parties is obliged to perform in the future 
or is subject to some future liability. In such transactions it 
is necessary that the parties not be able to repudiate the 
agreement. Also, the identity of the parties must be clearly 
established so that each can be assured that the other party 
is in fact the person it represents to be, and is able to 
perform. Further, the identity of the parties may need to be 
established with a high degree of certainty to support a legal 
claim, should one of the parties later attempt to avoid or 
repudiate the transaction. 

Digital signatures have been developed to provide a 
means for identifying a party transmitting an electronic 
message. One method for creating digital signatures is to 
generate public and private key pairs for each of a group of 
parties that may wish to exchange digitally signed docu- 
ments. Each of the parties stores its public decrypting keys 
in a registry along with identifying information, such as the 
key owner's name and e-mail address. The key owners each 
keep their private encrypting keys secret. 

To create a digital signature a party encrypts a message with his private encrypting key that includes the same identifying information that is stored in the registry. The party receiving the encrypted message goes to the registry and retrieves the sending party's public decrypting key and identifying information. The receiving party decrypts the message using the decrypting key from the registry and extracts the identifying information. If the identifying information found in the message matches the information stored in the registry then the receiving party concludes that the message is genuine. Further, there is some assurance that the sending party will not deny that he sent the message since only the sending party's private encrypting key can create a message that the sending party's public decrypting key can decode. A discussion of known digital signature techniques may be found, for example, in Meyer, Carl H. and Matyas, Stephen M., Cryptography, Chapter 9, pp. 386-427, John Wiley & Sons, 1982.

Known digital signature techniques suffer from certain problems. A third party may intercept a signed message and use the signed message to spoof another party. By retransmitting the signed message, the interceptor may be able to convince a recipient that he is the true sender. This is the so-called "man-in-the-middle" attack.

In addition, known digital signatures are subject to repudiation. A party may no longer wish to be bound by a disadvantageous agreement or may be subject to criminal or civil liability if he made the agreement. That party may simply deny sending a particular message. The party may claim that he did not intend to execute a transaction with a particular party but was instead the victim of a man-in-the-middle attack.

With known digital signature techniques, the only infor- 
mation connecting the sender with the message is the 
database entry in the registry containing his public decrypt- 
ing key and the identifying information. Thus, the sender 
may repudiate a transaction by claiming that his public 
decrypting key was registered without his authority. 

SUMMARY OF THE INVENTION 

The present invention is directed to methods and apparatus for forming a digital certificate that provides positive user authentication and non-repudiation. It is an object of the present invention to provide a digital certificate for authenticating electronically transmitted documents which incorporates a unique characteristic of the sender, such as biological indicia that can only have come from the sender himself.

Another object of the present invention is to provide a 
digital certificate that allows positive identification of the 
sender which cannot be repudiated. 

Yet another object of the present invention is to provide 
for encrypting an electronic message using a digital certifi- 
cate based on biological indicia. 

Yet another object of the present invention is to provide a method for positively identifying the sender of an electronic message signed with a biologically-based digital certificate.

Broadly, the present invention is directed to methods and apparatus for creating a digital certificate for use in electronic commerce which is based on biological indicia of the person providing the digital certificate such that the digital certificate provides positive identification of the sender and minimizes the ability of the sender to repudiate the authenticity of the certificate and any transaction embodied in an electronic document appended to the certificate.

According to a first aspect of the present invention there is provided a user terminal, a certificate authority, and a remote registration terminal. A person, hereinafter called a registrant, wishing to obtain a digital certificate enters data corresponding to a biological or physical characteristic of himself, for example, his chromosomal DNA, into a terminal. Preferably, the data is entered in digital form, but could be entered by optical imaging (e.g. a photograph or a scanned fingerprint, iris, or retina) which is then processed into digital form. The digital representation of the registrant's biological indicia is encrypted using the registrant's private key and sent to the certificate authority along with the registrant's public key. The certificate authority decrypts the digital representation and stores it. The registrant then visits a remote registration terminal in person with the digital representation and other identifying documents. The
operator of the remote registration terminal verifies the identity of the registrant from the identifying documents and transmits the digitized representation to the certificate authority. The certificate authority compares the decrypted digital representation with the representation sent from the remote registration terminal. If a match is found, the certificate authority forms a certificate by signing the digital signature using the certificate authority's encrypting key. The certificate is stored in a database and is sent to the registrant. Preferably, the database is public with no restriction as to who may access the stored certificate data. Alternatively, access to the database may be restricted to, for example, employees of a particular corporation or government department, database subscribers, or members of a stock exchange.

According to another aspect of the present invention, the registrant transmits a digital message including the certificate described above. The digital message is then encrypted with the registrant's private encrypting key. The party receiving the encrypted message decrypts the message using the registrant's public decrypting key. The receiving party inspects the message to verify that the appended certificate is valid and that the certificate was prepared by a reputable certificate authority by comparing the certificate with the information stored in the database. The reputation of the certificate authority provides some assurance that the message is genuine and that the sender will not later repudiate the message because his signature and identifying information are part of the certificate stored in the public database.

If additional assurance that the registrant actually transmitted the message is desired, the receiving party can transmit the certificate to the certificate authority and request that the certificate be decrypted to extract the digitized representation. The digital representation is then compared with the digital representation originally submitted by the registrant. If even greater assurance is required, for example, where the registrant later attempts to repudiate the message, the digital representation can be compared with biological indicia of the registrant from which the digital signature was originally formed.

BRIEF DESCRIPTION OF THE DRAWINGS

Further characteristics, features, and advantages of the present invention will be apparent upon consideration of the following detailed description of the present invention, taken in conjunction with the following drawings, in which like reference characters refer to like parts, and in which:

FIG. 1 is a block diagram of a terminal used for forming a digital certificate according to a first embodiment of the present invention;

FIG. 2 is a block diagram showing components connected by a communication network for forming a digital certificate according to the first embodiment;

FIG. 3 is a block diagram showing the components of a registration process of a certificate authority used for forming a digital certificate according to the first embodiment;

FIG. 4 is a block diagram showing a remote registration terminal for forming a digital certificate according to the first embodiment;

FIG. 5 is a block diagram showing the certification process of the certificate authority for forming a certificate according to the first embodiment;

FIG. 6 is a block diagram showing a terminal used for signing an electronic message with a digital certificate according to a second embodiment of the present invention;

FIG. 7 is a block diagram showing a portion of a terminal for receiving and authenticating the electronic message signed with the digital certificate by the apparatus of FIG. 6 according to the second embodiment;

FIG. 8 is a block diagram showing a validation process according to the second embodiment;

FIG. 9 is a block diagram showing a digital key entry system according to a third embodiment of the present invention.

DETAILED DESCRIPTION

With reference to FIGS. 1-5, a process for forming a digital certificate according to a first embodiment of the present invention will be described. A person wishing to obtain a certificate, hereinafter called the registrant, first visits a service provider to obtain a digitized representation of a biological characteristic of his or her body. This digitized characteristic will be referred to as a bio-blob. A bio-blob may be formed from, for example, a digitized image of the registrant's fingerprint, iris or retina or a digital representation of a marker plate prepared from the registrant's chromosomal DNA. Other physical characteristics may be used, depending on the degree of security desired. For example, an image of the registrant's footprint, handprint, dental x-ray or other distinguishing characteristic of the registrant's body may be used. The bio-blob may also be a combination of digitized images and other identifying indicia of the registrant and may include, for example, a password such as an alphanumeric string. The service provider may be a medical clinic equipped to handle and analyze biological samples.

The service provider gives the registrant the bio-blob in digital form. The bio-blob may be provided on any of a number of digital media including a magnetic tape or disk, an optical disk, or a digital memory. A preferred medium for storing the bio-blob is a non-volatile solid-state memory incorporated in a so-called smart card for convenience and portability.

Note that in the figures "cylinders" illustrate data elements and "boxes" illustrate process functions. The data elements [illegible] magnetic or optical disk drives or in solid state memory devices. The process functions may be implemented by a general-purpose computer, for example, a personal computer, workstation, or mainframe computer, under the control of a software program. The functions described herein may also be performed by special purpose computing devices designed to perform specific data processing tasks, or by a combination of general purpose and special purpose processors.

FIG. 1 shows a terminal 1 owned by or associated with the registrant. Alternatively, the terminal 1 may be a device [illegible] party [illegible] provided for the registrant's exclusive use in a manner explained below. The terminal 1 may be, for example, a computer workstation. The terminal [illegible] 3 [illegible] containing the [illegible] 5 [illegible] inserted into the reader 3 and the bio-blob data 5 is transferred to the terminal 1. The data 2 is preferably a smart card and the reader 3 is preferably a smart card reader, each of which is conventional in design and use.

A hash function 7 receives the bio-blob data 5 and calculates a hashed bio-blob 9. The hashed bio-blob 9 is a fixed length string which is a compressed version of the original bio-blob data 5. The hash function 7 is selected so that the bio-blob 5 is efficiently converted to the hashed bio-blob 9, but it is infeasible to generate a bio-blob that
hashes to a given value. If the integrity of the hashed bio-blob 9 is violated, because of transmission errors or intentional manipulation, a receiving device can detect the violation using known error detection techniques.

A public/private key function 11 calculates a private 13 and public 15 key pair for the registrant. The key pair 13, 15 is designed to function with a so-called public-key algorithm. Messages encrypted with the private key 13 may be decrypted with the public key 15. However, knowledge of the public key 15 does not allow efficient calculation of the private key 13. For example, the key pair 13, 15 may be generated to work in the so-called RSA algorithm.

The hashed bio-blob 9 and the private key 13 are received by the signature function 17. The signature function 17 signs the hashed bio-blob 9 by encrypting it with the private key 13 to generate the signature 19. The registrant enters identifying information into a registration form 16. The registration form 16 is an electronic document which queries the registrant for identifying information such as the registrant's name, social security number, mother's maiden name, address, and telephone number. The registration form 16 may be a so-called Hypertext Mark-up Language (HTML) page.

The public key 15 is combined with the registration form 16 to create a message 18. The message 18 and the signature 19 are formatted by the browser function 21 for transmission across a communication network 23 via a modem 22. The modem 22 formats the transmitted signal in a form which is compatible with the communication network. The communication network 23 may be, for example, an intranet, an internet or an extranet. The communication network 23 may be implemented, for example, using a public data network (PDN) or a private communication link, such as wide area network, a local area network, or a dedicated telephone line.

The communication network 23 allows communication between and among the terminal 1, a public directory 4, a certificate authority 25, a registration manager 43, and a receiving terminal 83. The certificate authority 25 includes a registration process 24 and a validation process 26. FIG. 2 shows the registrant's terminal 1 connected with the communication network 23.

The message 18 and signature 19 are transmitted from the terminal 1 to the certificate authority 25. FIG. 3 shows the registration process 24 of the certificate authority 25 in detail. Digital signals are received from the communication network 23 by the modem 28 which sends the message 18 and signature 19 to the user input registration process 27. The user input registration process 27 parses the message 18 and signature 19 from the communication network 23. The public key 15, registration form 16, and signature 19 are stored in the input queue 29. The decryption process 31 retrieves the signature 19 and public key 15 from the input queue 29. The decryption process 31 decrypts the signature 19 using the public key 15 to recover the hashed bio-blob 9. The hashed bio-blob 9 is then de-hashed by the de-hashing function 33 to recover the bio-blob 5. The bio-blob 5 is stored as a flat file in the bio-blob queue 35.

The compare function 37 retrieves the bio-blob 5 from the bio-blob queue 35 and compares it with bio-blobs stored in the registered bio-blob database 39. The registered bio-blob database 39 contains bio-blobs from persons who have completed the registration process, as will be described later. Because the registrant has not yet completed the registration process, no match will be found by the compare function 37. The compare function 37 sends a command to the rejection process 41 which sends a message to the terminal 1 via the communication network 23 instructing the registrant to complete the registration process. The bio-blob 5 remains in the bio-blob queue 35.

The registrant goes to a remote registration terminal 43 with the smart card 2 containing the digitized bio-blob 5 and physical identification which confirms the information entered in the registration form 16. The physical identification may be, for example, the registrant's driver's license, passport, or other government-issued identification card. Preferably, the physical identification includes a photograph of the registrant. The remote registration terminal 43 is located at a service provider and the registrant must be physically present to be registered. An operator at the remote registration terminal 43 enters identifying information from the physical identification into a verification form 18. The verification form 18 may be an HTML page which queries the operator of the remote registration terminal for the same information requested by the registration form 16.

FIG. 4 shows the remote registration terminal 43 in detail. The bio-blob 5 stored on the smart card 2 is read by a reader 45 and sent to the registration input process 47. The operator enters information to the verification form 18 using an input device 49. The input device 49 may be a keyboard or a pointing device coupled to a graphical user interface. The registration input process 47 combines the bio-blob 5 with the verification form 18 to generate a registration request 51. The registration request 51 is formatted by the communication manager 53, transmitted by the modem 54 and sent to the registration process 24 of the certificate authority 25 across the communication network 23.

Referring again to FIG. 3, modem 28 receives the registration request 51 and sends it to the registration manager input process 55. The registration request 51 is stored in the registration queue 57. The registration process 59 retrieves the registration request 51 from the registration queue 57 and extracts the bio-blob 5. The bio-blob 5 is stored in the registered bio-blob database 39 along with the verification form 18.

The compare function 37 compares each newly registered bio-blob in the registered bio-blob database 39 with the bio-blobs stored in the bio-blob queue 35. When the registrant's bio-blob is found in both the bio-blob queue 35 and registered bio-blob database 39, the compare function 37 sends a message to the certification process 61 indicating that a match has been found. The compare function 37 also compares the registration form 16 with the verification form 18 submitted from the remote registration terminal 43 to verify the identity of the registrant.

The certification process 61 is shown in detail in FIG. 5. When a message is received from the compare function 37 indicating a match between the bio-blob queue 35 and the registered bio-blob database 39, the registration form 16, public key 15, and signature 19 are retrieved from the input queue 29. A key function 63 generates a certificate signing key 65 and a certificate public key 67. The certification process 69 encrypts the signature 19 using the certificate authority's signing key 65. The encryption process 69 appends certificate authority identity information 70 to the encrypted signature 19. The identity information 70 may be contained on an HTML page capable of supporting active links across the communication network 23. The encrypted signature 19 and identity information 70 form the certificate 71. The certificate 71 is sent to the registrant's terminal 1 via the communication network 23. The certificate 71 is also stored in certificate archive 73 along with the certificate authority's public key 67.
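The registration and certification steps above, as an added Python example (not code from the patent): because a one-way hash cannot be "de-hashed", the certificate authority here hashes the bio-blob presented in person and compares digests, and the example goes one step further by unwrapping the certificate again and checking a revocation list. SHA-256, the toy RSA keys built from Mersenne primes, and all names, forms and sample bio-blobs are assumptions constructed for the example.

```python
import hashlib

E = 65537

def make_toy_key(p_exp, q_exp):
    """Constructed demo key from two Mersenne primes: trivially factorable, textbook
    (unpadded) RSA. It only makes the data flow runnable; never use it for real."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

REGISTRANT_KEY = make_toy_key(521, 607)   # private key 13 / public key 15
CA_KEY = make_toy_key(607, 1279)          # signing key 65 / public key 67 (larger modulus)

def public_part(key):
    return {"n": key["n"], "e": key["e"]}

def hash_bio_blob(bio_blob):
    """Hash function 7 (SHA-256 assumed): one-way, fixed-length digest."""
    return int.from_bytes(hashlib.sha256(bio_blob).digest(), "big")

def sign_bio_blob(bio_blob, key):
    """Signature function 17: 'encrypt' the hashed bio-blob with the private key."""
    return pow(hash_bio_blob(bio_blob), key["d"], key["n"])

def recover(value, public):
    """Public-key operation that undoes the matching private-key operation."""
    return pow(value, public["e"], public["n"])

class CertificateAuthority:
    def __init__(self, key, name):
        self.key, self.name = key, name
        self.pending = {}     # input queue 29: name -> (form, public key, signature)
        self.registered = {}  # registered bio-blob database 39
        self.directory = {}   # certificate archive 73 / public directory 4
        self.revoked = set()  # list of certificates that are no longer valid

    def submit(self, form, public, signature):
        """Message 18 and signature 19 arriving from the registrant's terminal."""
        self.pending[form["name"]] = (form, public, signature)

    def register_in_person(self, verification_form, bio_blob):
        """Registration request 51 from the remote registration terminal."""
        entry = self.pending.get(verification_form["name"])
        if entry is None:
            return None
        form, public, signature = entry
        # Digest comparison instead of 'de-hashing': hash what was presented in
        # person and compare it with the digest recovered from the signature.
        if recover(signature, public) != hash_bio_blob(bio_blob):
            return None
        if form != verification_form:          # registration form vs verification form
            return None
        cert = {"issuer": self.name, "subject": form["name"],
                "body": pow(signature, self.key["d"], self.key["n"])}
        self.registered[form["name"]] = bio_blob
        self.directory[form["name"]] = (cert, public)
        del self.pending[form["name"]]
        return cert

    def validate(self, cert, bio_blob):
        """Unwrap certificate -> signature -> digest and compare with a bio-blob."""
        record = self.directory.get(cert["subject"])
        if record is None or record[0] != cert or cert["body"] in self.revoked:
            return False
        signature = recover(cert["body"], public_part(self.key))
        return recover(signature, record[1]) == hash_bio_blob(bio_blob)

def demo():
    ca = CertificateAuthority(CA_KEY, "Example CA")            # hypothetical CA
    bio_blob = b"constructed DNA marker plate scan #1"          # constructed sample
    other = b"constructed scan of a different person"           # constructed sample
    form = {"name": "A. Registrant", "address": "1 Example Street"}
    ca.submit(form, public_part(REGISTRANT_KEY), sign_bio_blob(bio_blob, REGISTRANT_KEY))
    rejected = ca.register_in_person(dict(form), other)   # wrong bio-blob: no certificate
    cert = ca.register_in_person(dict(form), bio_blob)    # matching bio-blob: certificate
    genuine = ca.validate(cert, bio_blob)
    impostor = ca.validate(cert, other)
    ca.revoked.add(cert["body"])                           # key or smart card disclosed
    after_revocation = ca.validate(cert, bio_blob)
    return rejected, cert is not None, genuine, impostor, after_revocation

if __name__ == "__main__":
    print(demo())
```

The digest comparison only succeeds on the bit-identical bio-blob held on the smart card; a fresh scan of the same finger or tissue sample will hash differently, so a direct comparison against the person needs the stored bio-blob itself rather than its digest.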
The certificate 71 is sent to a public directory 4 via the communication network 23. According to a preferred embodiment, any terminal connected to the communication network 23 may read the public directory 4. Alternatively, access to the directory 4 may be limited to certain authorized persons. The public directory 4 contains all the valid certificates for each registrant on the communication network 23. The public directory 4 also contains a list of certificates that are no longer valid. Parties can compare certificates received with electronic documents against the certificates stored in the public directory 4 via the communication network 23 to determine if a document includes a valid certificate. The identity information 70 in each certificate may include an active link to the public directory 4 allowing a party to access the valid certificates and list of invalid certificates conveniently.

There is an advantage in having the digital signature 19 prepared at the registrant's terminal 1 and then having the registrant register in person at the remote registration terminal 43 using his bio-blob 5. The registrant maintains control over the key pair 13, 15, as well as his bio-blob 5 stored on the smart card 2, which were used to prepare the signature 19 that forms the basis for the certificate 71. The registrant cannot later claim that a certificate 71 was prepared without his authorization.

If the key pair 13, 15 or the smart card 2 are disclosed to others, the registrant must inform the public directory 4 to add the certificate 71 to the list of invalid certificates. A new certificate will have to be prepared. If another party receives an electronic document signed using the now invalid certificate, that party will know that the document cannot be relied upon.

FIGS. 6, 7, and 8 show an apparatus for sending signed electronic messages via the communication network 23 according to a second embodiment of the present invention. FIG. 6 shows the process of sending a message from the registrant's terminal 1 using the certificate 71. A transaction message 75 is formed including, for example, a contract the user wishes to execute with the operator of the receiving terminal 83. The encryption process 77 joins the transaction message 75 with the certificate 71 and encrypts the result using the registrant's private key 13 to form the signed message 79. The signed message 79 is transmitted by the modem 80 and sent via the communication network 23 to a receiving terminal 83.

FIG. 7 shows the authentication of the signed message 79 by the receiving terminal 83. The signed message 79 is received by the modem 76 and is decrypted by the decryption process 85 using the registrant's public key 15 thereby recovering the transaction message 75 and the certificate 71. An authentication process 87 inspects the identity information 70 which is part of the certificate 71. The authentication process 87 accesses the public directory 4 via the communication network 23 to verify that the certificate 71 is valid. According to a preferred embodiment an active link to the public directory 4 embedded in the identity information 70 simplifies this process. For transactions where there is little risk that a message is fraudulent, simply verifying that the sender has a valid certificate 71 from a reputable certificate authority 25 is sufficient to proceed with the transaction.

An additional level of security can be obtained by recovering the bio-blob 5 from the certificate 71 and comparing it with the bio-blob 5 encrypted within the certificate 71 stored in the public directory 4. FIG. 8 shows a validation process 26 performed by the certificate authority 25. The certificate authority public key 67 is retrieved from the certificate archive 73 and is used by the decryption process 72 to decrypt the certificate 71 to extract the digital signature 19. The registrant's public key 15 is then used by the decryption process 74 to decrypt the signature 19 to extract the hashed bio-blob 9. The hashed bio-blob 9 is dehashed by the dehash process 76 to extract the bio-blob 5. The compare function [illegible] retrieves the bio-blob 5 that was stored in the registered bio-blob database 39 during the registration process and compares it with the bio-blob 5 extracted from the certificate.

The identity of the person sending the message may be positively confirmed by comparing the bio-blob 5 extracted from the certificate 71 to an actual biological feature of the [illegible] bio-blob 5 were a digital representation of a DNA marker plate prepared from the registrant's tissue, then a similar marker plate could be prepared from tissue taken from the alleged sender's body. If the bio-blob 5 matches the alleged sender's marker plate then it is virtually certain that the sender is the registrant.

The digital certificate 71 described above may be used to authenticate electronic document 75 transmitted between [illegible] parties via a communication network 23. However, the invention is not limited to this type of communication. The digital certificate 71 according to the present invention [illegible] digital message where non-repudiation and positive identification are required. FIG. 9 illustrates a third embodiment of the present invention where the digital certificate 71, formed according to the first embodiment, is incorporated into a key access card 91 to be used, for example, by an employee to gain access to a restricted area of an employer's building. The digital certificate 71 is stored in a memory on the card 91 along with conventional identifying information such as the employee's name 92. The memory may be a solid-state device, a magnetic strip, a pattern of marks or another known technique for storing digital data. The registrant, for example, an employee seeking access to a restricted area, presents the card 91 to a card reader 93. The reader 93 retrieves the certificate 71 and name 92 from the card 91 and communicates them to a processor 97 via an internal network 95. The processor 97 compares the certificate 71 with a database of valid certificates 101 and if a match is found, the employee is allowed access. The employee name 92 and certificate 71 are stored in an access database 99 by the processor 97. Routine reports of access activity can be generated based on the employee name 92 alone. If positive proof that a particular employee entered the restricted area, for example [illegible] a crime has been committed, the digital certificate 71 can be retrieved from the access database 99 and the bio-blob 5 encoded therein can be compared with the biological indicia of the employee.

The above embodiments are illustrative of the present invention. While these are presently considered the most practical and preferred embodiments, it is to be understood that the invention is not limited by this disclosure. This invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the invention, as will be apparent to a person of ordinary skill in the art.

claim:

1. A [illegible] comprising:
a memory;
a reader connected to the memory;
information stored in the memory identifying a registrant;
a digital certificate stored in the memory, wherein the digital certificate includes a digitized biological
indicium, the biological indicium uniquely identifying
the registrant; 

a certificate database containing a verified copy of the 

digital certificate; 
an access database; and
a processor connected to the reader, the certificate data- 
base and the access database, wherein the processor 
commands the reader to read the digital certificate and 
the identifying information from the memory, com-
pares the digital certificate from the memory with the
verified copy in the certificate database and stores the 
identifying information in the access database. 

2. A method for forming a certificate for authentication of 
electronic messages, the method comprising: 

providing a digital representation of a biological indicium

of a registrant; 
forming a first encrypting key according to a public key 

algorithm; 

encrypting the digitized representation using the first 
encrypting key to form a digital signature; 20 

transmitting the digital signature to a certificate authority; 

forming a second encrypting key according to the public 
key algorithm; and 

encrypting the signature using the second encrypting key 
by the certificate authority to form the certificate. 

3. The method according to claim 2 further comprising 
providing a workstation in the custody of the registrant and 
performing at least one of the first encrypting step and the 
second encrypting step at the workstation. 

4. A method for forming a certificate for authentication of electronic messages, the method comprising:

entering information identifying a registrant;

providing a digital representation of a biological indicium of the registrant;

first encrypting the digital representation to form a digital signature;

appending the identifying information to the digital signature;

transmitting the digital signature to a certificate authority;

verifying the entered identifying information at a remote registration terminal to generate verification information;

transmitting the verification information from the remote registration terminal to the certificate authority; and

second encrypting the digital signature by the certificate authority to form the certificate.

5. A method of authenticating an electronic document, the method comprising:

providing a digitized biological indicium of a registrant;

first encrypting the digitized biological indicium to form a digital signature;

storing the digitized biological indicium on a storage medium;

transmitting the digital signature to a certificate authority from a registrant terminal;

decrypting the digital signature to extract the digitized biological indicium;

registering the registrant by entering identifying information provided by the registrant into a registration terminal;

retrieving the digitized biological indicia from the storage medium by the registration terminal;

transmitting the identifying information and the digitized biological indicium to the certificate authority from the registration terminal;

comparing the transmitted digitized biological indicium with the digitized biological indicium extracted by the certificate authority;

second encrypting the digital signature to form a certificate;

storing the certificate in a registry;

appending the certificate to the electronic document to form a signed document;

transmitting the signed document to a receiving terminal by an electronic transmission means;

extracting the certificate from the transmitted signed document; and

comparing the extracted certificate with the certificate stored in the registry.

6. A method of authenticating an electronic document, the method comprising:

providing a digitized biological indicium of a registrant;

first encrypting the digitized biological indicium to form a digital signature;

authenticating the digital signature;

generating a second private encrypting key and second public decrypting key by a certificate authority;

encrypting the digital signature using the second private encrypting key to form a certificate;

storing the second public decrypting key in a registry;

appending the certificate to the electronic document to form a signed document;

transmitting the signed document to a receiving terminal by an electronic transmission means;

extracting the certificate from the transmitted signed document; and

comparing the extracted certificate with the certificate stored in the registry.

7. The method according to claim 6 further comprising:

retrieving the second public decrypting key from the registry;

decrypting the certificate using the second public decrypting key to obtain the digital signature;

decrypting the digital signature using the first public decrypting key to extract the digitized representation; and

comparing the extracted digitized representation with the biological indicium of the registrant.

8. An apparatus for forming a certificate comprising:

a storage medium containing a digital representation of a biological indicium of a registrant;

a terminal including:

  input means for reading the storage medium and for inputting the digital representation;

  first encrypting means for encrypting the digitized representation to form a digital signature; and

  transmitting means for transmitting the digital signature; and

a certificate authority, the certificate authority including:

  receiving means for receiving the transmitted digital signature;

  decrypting means for decrypting the digital signature to extract the digital representation;

  authenticating means for verifying that the biological indicium represented by the digital representation corresponds to the registrant; and

  second encrypting means for encrypting the digital signature to form the certificate.

9. The apparatus according to claim 8 wherein the terminal includes hashing means for hashing the digital representation.

10. The apparatus according to claim 8 wherein the transmitting means includes a communication network.

11. The apparatus according to claim 10 wherein the authenticating means includes a remote registration terminal connected with the certificate authority via the communication network.

12. The apparatus according to claim 11 wherein the remote registration terminal includes a reader for reading the digital representation from the storage medium and input means for inputting information identifying the registrant.

13. An apparatus for forming a certificate comprising:

a communication network;

a memory containing a digital representation of a biological indicium of a registrant;

a terminal including:

  a reader responsive to the memory to capture the digital representation;

  a first encrypting processor connected with the reader; and

  a first modem connected with the first encrypting processor, wherein the first encrypting processor encrypts the digital representation retrieved from the memory to form a digital signature and causes the first modem to transmit the digital signature via the communication network; and

a certificate authority, the certificate authority including:

  a second modem connected with the communication network, wherein the second modem receives the digital signature from the communication network;

  a decrypting processor connected with the second modem, wherein the decrypting processor receives the digital signature from the second modem and decrypts the digital signature to recover the digital representation;

  a comparator connected to the decrypting processor, wherein the comparator receives the digital representation from the decrypting processor and compares the digital representation with a verified digital signature and, if a match is found between the digital signature and the verified digital signature, the comparator generates an authenticated signal; and

  a second encrypting processor connected with the comparator and responsive to the authenticated signal, wherein, in response to the authenticated signal, the second encrypting processor encrypts the digital signature thereby forming a digital certificate.
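
The two-layer flow of claims 6 and 7 (registrant key, then certificate authority key, then recovery in reverse order and comparison) is sketched below as an added example; it is not code from the patent. The patent names only "a public key algorithm", so the use of unpadded textbook RSA with small Mersenne-prime moduli, the function names and the sample indicium are all assumptions chosen to make the recovery steps visible.

```python
# Toy textbook RSA (no padding, small keys from known Mersenne primes).
# Assumption for illustration only: the patent does not specify the algorithm.
E = 65537

def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, pow(E, -1, phi)), (n, E)          # (private key, public key)

def apply_key(key, value):
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value out of range for modulus")
    return pow(value, exp, n)

# The CA modulus is larger than the registrant modulus so a signature always fits.
REG_PRIV, REG_PUB = keypair(2**61 - 1, 2**89 - 1)    # registrant: "first" key pair
CA_PRIV, CA_PUB = keypair(2**107 - 1, 2**127 - 1)    # authority: "second" key pair

def form_certificate(bio_blob: bytes) -> int:
    """First encrypt the indicium (digital signature), then CA-encrypt it."""
    signature = apply_key(REG_PRIV, int.from_bytes(bio_blob, "big"))
    return apply_key(CA_PRIV, signature)

def recover_bio_blob(certificate: int, length: int) -> bytes:
    """Claim 7: peel the CA layer, then the registrant layer."""
    signature = apply_key(CA_PUB, certificate)
    return apply_key(REG_PUB, signature).to_bytes(length, "big")

def validate(document_cert: int, registry_cert: int, measured_blob: bytes) -> str:
    # Claim 6: compare the extracted certificate with the registry copy.
    if document_cert != registry_cert:
        return "certificate mismatch"
    # Claim 7: compare the recovered representation with the actual indicium.
    try:
        recovered = recover_bio_blob(document_cert, len(measured_blob))
    except (ValueError, OverflowError):
        return "indicium mismatch"
    return "authenticated" if recovered == measured_blob else "indicium mismatch"

SAMPLE_BLOB = b"GATTACA-CGT-0042"    # constructed 16-byte stand-in for a bio-blob
```
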
